+2 votes
341 views
in Q2A Core by
When a logged-out user searches, gets search results, and tries to log in or register from the search results page, they get a 403 error.

For example, suppose a user visits https://example.com, a Q2A site, then searches for the term "equations".

The user then tries to log in from that results page and is redirected to https://example.com/login?to=search%3Fq%3Dequations, which gives a 403 error.

Is this a bug or are there some permissions I should enable?

Thanks.
Q2A version: 1.8.8
by
+1
Found any solution? Same problem here.
by
Not yet, still investigating.
by
I'm unable to reproduce this issue
by
Apache2 Logs Related To This:
First Log:
[Thu Jan 02 10:12:32.179354 2025] [rewrite:error] [pid 1219839] [client 64.252.74.220:39940] AH: Unsafe URL with %3f URL rewritten without UnsafeAllow3F
Second Log:
[Thu Jan 02 10:24:55.322595 2025] [rewrite:error] [pid 1222111] [client 64.252.98.84:5960] AH: Unsafe URL with %3f URL rewritten without UnsafeAllow3F, referer: https://website.in/qa/search?q=xxxxxx
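
To find which pages generate the rejected links, the error log can be grouped by referer, since these entries record the referring page but not the requested URL. This is an added example, not part of the original thread; the sample lines are constructed in the format quoted above and the function name is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines (documentation IP ranges, made-up pids and referers).
SAMPLE_LOG = """\
[Thu Jan 02 10:12:32.179354 2025] [rewrite:error] [pid 1001] [client 192.0.2.10:39940] AH: Unsafe URL with %3f URL rewritten without UnsafeAllow3F
[Thu Jan 02 10:24:55.322595 2025] [rewrite:error] [pid 1002] [client 192.0.2.11:5960] AH: Unsafe URL with %3f URL rewritten without UnsafeAllow3F, referer: https://example.com/search?q=equations
[Thu Jan 02 10:25:01.000001 2025] [core:error] [pid 1002] [client 192.0.2.11:5961] AH: unrelated error
[Thu Jan 02 10:31:07.410000 2025] [rewrite:error] [pid 1003] [client 198.51.100.7:40112] AH: Unsafe URL with %3f URL rewritten without UnsafeAllow3F, referer: https://example.com/search?q=equations
"""

# The AH message number is missing in the lines quoted above, so it is optional here.
LINE_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\] \[rewrite:error\] \[pid \d+\] "
    r"\[client (?P<ip>[^\]]+?):\d+\] "
    r"AH\d*: Unsafe URL with %3f URL rewritten without UnsafeAllow3F"
    r"(?:, referer: (?P<referer>\S+))?\s*$"
)


def blocked_rewrites(log_text):
    """Return (hits, by_referer) for rewrites rejected because of %3f."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits.append({
                "time": m["time"],
                "ip": m["ip"],
                # Direct hits and stripped referers show up without this field.
                "referer": m["referer"] or "(none)",
            })
    by_referer = Counter(h["referer"] for h in hits)
    return hits, by_referer


if __name__ == "__main__":
    hits, by_referer = blocked_rewrites(SAMPLE_LOG)
    for referer, count in by_referer.most_common():
        print(f"{count:3d}  {referer}")
```
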
by
edited by
1. What Apache version are you running?
2. What URL structure are you using (in admin/general tab)?
3. What does your .htaccess file look like?
by
Options -Indexes
DirectoryIndex index.php

<IfModule mod_rewrite.c>
    RewriteEngine On

    # Fix Double Slashes in URLs /
    RewriteCond %{REQUEST_URI} ^(.*)//(.*)$
    RewriteRule . %1/%2 [R=301,L]

    # Rewrite non-existing files or directories to index.php

    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^.*$ index.php?qa-rewrite=$0&%{QUERY_STRING} [BCTLS,L]

</IfModule>
by
LATEST VERSION OF APACHE
by
OK, but what is the x.y.z version of Apache you are using?
by
root@ip-11-10-24-142:~# apache2 -v
Server version: Apache/2.4.58 (Ubuntu)
Server built:   2024-10-02T12:40:51
by
I can see in Apache's web page that the latest version is:
2.4.62 (released 2024-07-17)

That is the one I'm using and I'm facing no issues. Can you try that one?
by
Am on 2.4.62 and fixed using the .htaccess code below:

# In order for the web server to process this file it must be renamed to ".htaccess"

Options -Indexes
DirectoryIndex index.php

<IfModule mod_rewrite.c>
    RewriteEngine On
    #RewriteBase /


    RewriteCond %{REQUEST_URI} ^(.*)//(.*)$
    RewriteRule . %1/%2 [R=301,L]

    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^.*$ index.php?qa-rewrite=$0&%{QUERY_STRING} [BCTLS,L,PT,UnsafeAllow3F]
</IfModule>


This configuration resolves the URL encoding issue by ensuring that %3F is properly passed to the rewritten query string without being double-encoded or treated as an unsafe character. It also maintains compatibility with PHP processing and prevents accidental rule conflicts.
by
Can you confirm you still face the issue if you use this line in Apache 2.4.62?

RewriteRule ^.*$ index.php?qa-rewrite=$0&%{QUERY_STRING} [B,L]
by
RewriteRule ^.*$ index.php?qa-rewrite=$0&%{QUERY_STRING} [B,L] works on Apache 2.4.62
by
Still getting the 403 error even with the fix. Currently affects me when trying to log in while visiting the most viewed, voted, answered, etc. questions page filters. Also when viewing the no selected answer and no upvoted answer filters. Not just with search results.
by
My server uses PHP 8.4, but I could downgrade it to 8.2 and get the same error. Maybe this is a script-wide issue?
by
Did you replace it in .htaccess with: RewriteRule ^.*$ index.php?qa-rewrite=$0&%{QUERY_STRING} [BCTLS,L,UnsafeAllow3F]

4 Answers

+1 vote
by
Same with me!
+1 vote
by
Yes, it's an error. It would be nice if someone could fix this issue.
+1 vote
by
edited by

We fixed this problem somehow, but I don't know if this is safe or not, but this is working.

Reference: https://github.com/friendica/friendica/issues/14303

In the Q2A .htaccess file, change this line:

FROM:

RewriteRule ^.*$ index.php?qa-rewrite=$0&%{QUERY_STRING} [BCTLS,L]

TO:

RewriteRule ^.*$ index.php?qa-rewrite=$0&%{QUERY_STRING} [BCTLS,L,PT,UnsafeAllow3F]

OR:

RewriteRule ^.*$ index.php?qa-rewrite=$0&%{QUERY_STRING} [BCTLS,L,UnsafeAllow3F]

Please tell me whether this is safe or not, if anyone knows.

ago by
There is clearly a security problem, but the documentation is very poor.
An Apache update to 2.4.60+ is strongly recommended.

https://stackoverflow.com/questions/78729429/403-forbidden-when-url-contains-get-with-encoded-question-mark-unsafeallow3f
ago by
The issue here is not question marks in URLs as such. It is URL-encoded question marks in URLs that are used for serving static files.

Bad version:

    example.com/images?route=/cats/long-hair%3fsize=large
    example.com/login?returnto=/cats/long-hair%3fsize=large

Good versions:

    example.com/images/cats/long-hair?size=large
    example.com/login?returnto=/cats/long-hair&returntoparams=size%3dlarge
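
The "good version" of the login link above, sketched as an added example that is not part of the original thread and not Q2A code: the return path and its query string travel in two separate parameters, so the generated link never contains `%3f`. The parameter names `returnto` and `returntoparams` are taken from the comment above (Q2A's own parameter is `to`); the function names are assumptions.

```python
from urllib.parse import urlencode, urlsplit, parse_qs


def has_encoded_qmark(url):
    """True if the raw URL carries a percent-encoded '?' (%3f or %3F)."""
    return "%3f" in url.lower()


def login_link(target, login_path="/login"):
    """Build a login URL carrying the return path and its query separately.

    target is site-relative, e.g. 'search?q=equations'.
    """
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        raise ValueError("return target must be site-relative")
    params = {"returnto": parts.path}
    if parts.query:
        params["returntoparams"] = parts.query
    # '/' stays readable; '?' is legal unescaped inside a query string,
    # so a literal '?' in a search term is left as-is instead of becoming %3F.
    return login_path + "?" + urlencode(params, safe="/?")


def recover_target(login_url):
    """Rebuild the original target from a link made by login_link()."""
    qs = parse_qs(urlsplit(login_url).query)
    path = qs.get("returnto", [""])[0]
    query = qs.get("returntoparams", [""])[0]
    return path + ("?" + query if query else "")


if __name__ == "__main__":
    bad = "/login?to=search%3Fq%3Dequations"   # link form from the question
    good = login_link("search?q=equations")
    print(bad, has_encoded_qmark(bad))
    print(good, has_encoded_qmark(good))
    print(recover_target(good))
```
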
0 votes
ago by

This is a security problem and very few hosters will soften the configuration to such an extent that it continues to work. The “UnsafeAllow3F” was introduced for this purpose until all the code has been adapted.

As far as I know, the problem only occurs with the URL structure "/123/why-do-birds-sing (requires htaccess file)".
It works for me with all other settings.

...